Currently, attacks occur using a vulnerability in a vulnerable FCKEditor version of the filemanager, as shipped with some ColdFusion servers:
The vulnerability is about sending a PHP file (as test.php) but using a ZIP header as the beginning of the file to bypass the security check, and then putting the PHP (or ASP, CFM) code in the file. In this case, the PHP (or ASP, CFM) is evaluated on the server.
This vulnerability has been known since October 2008:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-6178
Unfortunately, as there is no security section on the FCKeditor Web site (sorry if I missed it; in this case, thanks for the URL), does anyone know if:
- Is this vulnerability fixed in recent FCKEditor versions?
- Has a patch been distributed?
- Is it possible to restrict, using an internal FCKeditor command, access to the filemanager connector, instead of disabling it for the moment?
FCKEditor and current vulnerability exploited in the Wild
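
An upload check that rejects the file described in the post, shown beside a content-only check that accepts it. This is an added example, not FCKeditor's code and not part of the original post; the extension policy, function names and sample bytes are assumptions constructed for illustration.

```python
import os

# Assumed policy for this sketch: allowed extension -> accepted leading signatures.
ALLOWED = {
    ".zip": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Heuristic list of server-side script openers (PHP, ASP, CFM); short markers
# can also occur by chance in binary data, so treat a hit as "needs review".
SCRIPT_MARKERS = (b"<?php", b"<%@", b"<cf")


def weak_check(filename, data):
    """Content-only check like the one the post describes: the name is ignored."""
    return any(data.startswith(sig) for sigs in ALLOWED.values() for sig in sigs)


def strict_check(filename, data):
    """Return (accepted, reason). The extension decides; content must agree."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    if "\x00" in name or name.startswith("."):
        return False, "bad name"
    stem, ext = os.path.splitext(name)
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if "." in stem:
        return False, "multiple extensions"
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match extension"
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script marker found"
    return True, "ok"


# Constructed sample: ZIP local-file-header magic followed by inert script text.
POLYGLOT = b"PK\x03\x04" + b"<?php /* constructed sample */ ?>"
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print("weak  test.php :", weak_check("test.php", POLYGLOT))
    for fname, blob in [("test.php", POLYGLOT), ("test.zip", POLYGLOT),
                        ("photo.png", CLEAN_PNG), ("photo.png", POLYGLOT)]:
        print("strict", fname, ":", strict_check(fname, blob))
```

Storing uploads outside the web root, or in a directory where script execution is disabled, covers the cases a name and content check cannot.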